Support » Everything else WordPress » WordPress hacked/phished

  • Today I had my WordPress hacked not once, but twice! First time, the hackers added several dozen zipped files into the wp-includes/images folder that un-zipped into several additional folders that had names like viagra, cialas and the like. Each folder had several files including several html ‘phising’ pages that were aimed at sites like Lloyds TSB and Wells Fargo. It was activated and maxed out my email system with over 500 emails within an hour. About an hour and a half later, I got an email from RSA Security stating that a phising attack on the Lloyds TSB was traced back to my website! Their email also gave me the URL of where the file originated (the images folder). I corrected that problem and everything was good.

    Later the same evening, my entire site went down, again attacked through WordPress (several files were changed at the same time the site went down) that added a “new” index.html page in my public_html folder.
    I corrected that, but had to change/correct a couple of WordPress files to make it functional again.

    I’m afraid to see what tomorrow brings.

    My question is has anyone else had problems? If so, anyone have any idea on how to prevent this from happening or at least make it more difficult and/or easier to correct the changes after this occurs?

    I hate to remove WordPress because I have established a good list and client base and being a very public website, many visit for the info placed there.

    Thanks for any help/info.

    Ed Wardyga
    Dir. of Web Operations

Viewing 4 replies - 1 through 4 (of 4 total)
  • Looks like the same thing happened to me. I only found out about it because another site was referring to mine but I could not find the referral on that site. I looked at the referral site’s source and voila, there it was, hidden HTML, referring back to my blog directory for Viagra, Cialis, and a million other things. Here’s one of the hidden URLs:

    I cannot figure out where the malicious files are hidden on my server, however. They are not in the wp-includes/images folder as they are for you, Ed. I have looked in all directories and do not see anything untoward.

    I am PHP-stupid and also ignorant of the WordPress directory structure. Can anyone tell me how to fix this problem and prevent it from happening again?





    <meta name=”generator” content=”WordPress 2.0.2″ /> <!– leave this for stats –>

    Melmike, your problem stems from running a version of WP thats 1. outdated (a year old, or so), and 2. is well known for being exploitable.

    Upgrade your blog. Look in your member list for any rogue admin accounts. Change all of your passwords.

    In the process of upgrading, you ought to delete ALL of the files that currently exists on your server, except for wp-config.php

    1. Because that will make sure you have removed any edited or added files.

    2. Because it will insure that you upload all fresh files.

    Preventing it from happening again, means paying attention to what you see in your dashboard at wp-admin/index.php and reading this occasionally:

    Had you been, you would have seen this:

    PS/ Found the invading html files in the wp-content/cache directory. Deleted all and disabled the cache. However, the above URL that points to my server still works, so clearing the cache was obviously not the fix I thought it would be.

    I am using Yahoo/ATT’s hosting version of WordPress, 2.02.

    Thanks, Whooami, saw your reply after I posted my PS above. I have no control over the version as it comes from Yahoo/ATT and is automatically upgraded by them (though I can’t tell you whether they’ve actually ever upgraded it since I opened the blog). I imagine I’ll have to open a “full” WordPress blog and transfer the files from the Yahoo/ATT version to that. Meantime, thanks again for the instruction on how to fix before I export. Don’t want to export all that crap to a new blog.


Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘WordPress hacked/phished’ is closed to new replies.